Overview

Having gone through our SSL Series on Elliptic Curve Cryptography and Perfect Forward Secrecy, you should have a good understanding of these technologies and why they are important to your organization. Our last article demonstrated how to successfully implement ECC and PFS on a LineRate System. This article shows how to verify that SSL with ECC+PFS has been implemented properly on LineRate. Specifically, it details how to check for ECC SSL on the wire with Wireshark and in the browser. Let's get started!

Testing the Client-side SSL

Confirming ECC+PFS cryptography

Browsing to https://ssloffload.lineratesystems.com shows that the ECC secp384r1 curve is being used to secure the session. Figure 1 details the specific network configuration we now have. Note that ssloffload.lineratesystems.com uses a private RFC 1918 address and will not work directly for you.

An investigation into the SSL negotiation details from the client to the LineRate system shows that the ECDHE cipher suite is indeed used in combination with the secp384r1 ECC curve. A pcap of the SSL/TLS handshake has been included at the end of this article if you would like to investigate this process further. Figure 3 shows the highlights of the SSL handshake negotiation: PFS is present (via the Elliptic Curve Diffie–Hellman Exchange, or ECDHE, cipher suite used) and the ECC curve that was successfully negotiated is indeed secp384r1.
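The same two handshake fields can be checked programmatically. The following is an added example, not code from the original article or from LineRate: it assumes a TLS 1.2 plaintext server flight, and the sample bytes, the suite 0xC030 and the function names are constructed for illustration rather than taken from the article's pcap.

```python
import struct

# IANA registry values (subset). Only ECDHE suites send an EC ServerKeyExchange.
ECDHE_SUITES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}

def handshake_messages(stream):
    """Yield (msg_type, body) from concatenated TLS handshake records (type 22)."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        rtype, _version, rlen = struct.unpack_from("!BHH", stream, pos)
        if rtype == 22:
            buf += stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    pos = 0
    while pos + 4 <= len(buf):
        mlen = int.from_bytes(buf[pos + 1:pos + 4], "big")
        yield buf[pos], buf[pos + 4:pos + 4 + mlen]
        pos += 4 + mlen

def inspect_server_flight(stream):
    """Report the negotiated suite and curve, and whether it is ECDHE on secp384r1."""
    suite = curve = None
    for mtype, body in handshake_messages(stream):
        if mtype == 2:  # ServerHello: version(2) random(32) sid_len(1) sid suite(2)
            off = 35 + body[34]
            suite = int.from_bytes(body[off:off + 2], "big")
        elif mtype == 12 and suite in ECDHE_SUITES and body[0] == 3:
            curve = int.from_bytes(body[1:3], "big")  # curve_type 3 = named_curve
    return {
        "suite": ECDHE_SUITES.get(suite, hex(suite) if suite is not None else None),
        "curve": NAMED_CURVES.get(curve, curve),
        "ecdhe_p384": suite in ECDHE_SUITES and curve == 24,
    }

def sample_flight(suite, curve):
    """Constructed ServerHello + ServerKeyExchange; signature bytes are omitted."""
    def rec(mtype, body):
        msg = bytes([mtype]) + len(body).to_bytes(3, "big") + body
        return b"\x16\x03\x03" + len(msg).to_bytes(2, "big") + msg
    hello = b"\x03\x03" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    ske = b"\x03" + curve.to_bytes(2, "big") + b"\x61\x04" + bytes(96)
    return rec(2, hello) + rec(12, ske)

if __name__ == "__main__":
    print(inspect_server_flight(sample_flight(0xC030, 24)))
```

To run it against a real capture, feed it the reassembled server-to-client TCP payload up to ServerHelloDone; records after ChangeCipherSpec are encrypted and should not be passed in.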

Testing the server-side request

Confirming reverse proxying via HTTP (not HTTPS)

A network capture for the proxied request from the client to the web server can be seen below in Figure 4. Note that the communication is unencrypted while in the secure datacenter. This proves that the SSL Offload on the LineRate system has been successfully implemented, alleviating our internal servers of the cryptography burden. A pcap of the HTTP request has been included at the end of this article if you would like to investigate this HTTP request further.

Figure 4: Ensuring the SSL client request to the web server has been successfully offloaded on LineRate

Benefits of SSL offload via LineRate

By now, you should have a good understanding of Elliptic Curve Cryptography and Perfect Forward Secrecy and why they are important to your organization. An SSL Offload system has now been successfully implemented as well. LineRate offers a very competitive $ per SSL terminations-per-second and can quickly and easily help your organization implement an SSL Offloading system. Here are a few additional benefits LineRate offers:

Quickly deploy a more secure application

LineRate is a software-based product that can be quickly deployed on existing x86 bare metal hardware or in virtualized environments.

In fact, a production-ready SSL/TLS offload system can be set up in under an hour.

Simple key management

Configure a few LineRate systems versus hundreds of servers in a traditional SSL deployment

By placing SSL information on a few LineRate instances, security exposure to public key compromise is significantly reduced

Of course, LineRate can facilitate encrypted communications with the application servers if desired

High-performance

LineRate is a high-performance, software-based solution that easily incorporates into your existing infrastructure. It can handle the high throughput and high connection counts required for a modern datacenter.

By offloading SSL with LineRate, resources on the servers that handle your application are freed up. This way your application servers can focus on handling your application rather than on the overhead of SSL.

Move over RSA: ECC crypto is here to stay! From this demonstration, it is easy to see that LineRate is a great way to quickly and easily deploy better performance and security with SSL. Take LineRate's SSL Offloading capabilities for a spin!